Information Security News mailing list archives

REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Jan 2003 00:54:28 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKMMCISP.RVW   20021106

"Mike Meyers' Certification Passport CISSP", Shon Harris, 2002,
0-07-222578-5, U$29.99/C$44.95
%A   Shon Harris shonharris () hotmail com www.intenseschool.com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-222578-5
%I   McGraw-Hill Ryerson/Osborne
%O   U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
%O   http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne
%P   422 p.
%T   "Mike Meyers' Certification Passport CISSP"

There is a "Check-In" foreword, which seems to be about the series,
and an introduction that provides a very terse overview of the CISSP
(Certified Information Systems Security Professional) exam.

The book consists of ten chapters, one for each of the CBK (Common
Body of Knowledge) domains.  "Security Management Practices"
demonstrates that the book is perhaps a bit too thin: illustrations
and other materials from Harris' "All-in-One" guide (cf. BKCISPA1.RVW)
appear, but most of the tutorial material is vague and generic.  (When
covering "controls," a vital concept in this domain, the text provides
an "exam tip" that controls should be visible enough to deter
misdeeds, but not visible enough to be avoided, but completely
neglects the second axis of the control matrix, which covers
deterrence, detection, and so forth.)  The review questions at the end
of the chapter are better than some, but still quite simplistic.  As
well as being limited, the content is suspect in places: a "cognitive
password" is very insecure, and why would a retina scanner blow air
into your eye?  The "Computers 101" part of "Security Architecture and
Models" is all right, although very brief and with significant gaps,
but the formal models are simplified to a problematic extent (and the
explanation of lattice models is flatly wrong).  The "Physical
Security" chapter is probably adequate for study purposes.  Even after
all of the above, I was surprised at how poor the material in
"Telecommunications and Networking Security" was.  The TCP/IP content
is definitely insufficient, and specific errors are made in a number
of areas (such as the ability of PPTP [Point-to-Point Tunneling
Protocol] to encrypt data).  "Cryptography" is limited to little more
than the terms involved, and it is odd how much space is wasted on
editorial comment.  (The text could also use a bit more organization:
a number of topics appear, in isolation, at a fair distance away from
related items.)  "Disaster Recovery and Business Continuity" is terse,
but possibly sufficient for study purposes.  The material in "Law,
Investigation, and Ethics" is problematic: it appears to be somewhat
dated and has some important gaps, such as corporate liability,
interviewing, and the process of incident response.  A great deal of
the content in "Application Development" seems to have been parroted
without any understanding: the iterative class of systems development
models is not collected, the spiral model description is incorrectly
described, the point of Java as a hybrid of compilation and
interpretation seems to have been completely lost, and the malware
text is rife with errors.  "Operations Security" doesn't have as many
mistakes, but it seems to be pretty much of an unorganized grab bag of
topics.

Yes, I can see the need (or desire) for a short and quick reference to
the CISSP CBK.  However, if you are going to take on that task, you
have to make every single word (and figure) count.  This book doesn't. 
Since McGraw-Hill also published "CISSP All-in-One Certification Exam
Guide" they should probably have heeded the old dictum that "if it
ain't broke, don't fix it."  As it is, this work is well back in the
CISSP pack, along with "Secured Computing" (cf. BKSCDCMP.RVW) and
"CISSP for Dummies" (cf. BKCISPDM.RVW).

copyright Robert M. Slade, 2002   BKMMCISP.RVW   20021106
